diff --git a/manifests/bootstrap.pp b/manifests/bootstrap.pp index 3a8cf7e05..3f4606f2f 100644 --- a/manifests/bootstrap.pp +++ b/manifests/bootstrap.pp @@ -57,8 +57,7 @@ # Defaults to 'public' # class keystone::bootstrap ( - # TODO(tobias-urdin): Make the password required when compat is removed. - $password = undef, + $password, $username = 'admin', $email = 'admin@localhost', $project_name = 'admin', 
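Review bot: `$password` becomes mandatory in this hunk but carries no data type, so an empty string (for example from a Hiera lookup) is still accepted and would flow into `OS_BOOTSTRAP_PASSWORD` and the `keystone_user` resource in the hunks at -216 and -238. The compat block removed in the next hunk ended in an explicit `fail()` when no password could be resolved. Declaring the parameter as `String[1] $password,` would keep an equivalent guard at compile time, provided typed parameters fit the module's conventions, which are not visible here. The parameter documentation above the class starts outside this hunk, so its `[*password*]` entry should be checked to confirm it now says the value is required.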
@@ -74,134 +73,9 @@ class keystone::bootstrap ( include ::keystone::deps - # TODO(tobias-urdin): Remove compat layer. - if $password == undef { - if defined('$::keystone::admin_password') and $::keystone::admin_password != undef { - $password_real = $::keystone::admin_password - warning('Using deprecated keystone::admin_password as admin password') - # Check if we differ from the roles admin pw - if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != $password_real { - warning('The keystone::admin_password and keystone::roles::admin::password differs and will cause a flip-flopping\ - behaviour and authentication issues for the admin user.') - } - } elsif defined('$::keystone::admin_token') and $::keystone::admin_token != undef { - $password_real = $::keystone::admin_token - warning('Using deprecated keystone::admin_token as admin password') - # Check if we differ from the roles admin pw - if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != $password_real { - warning('The keystone::admin_token and keystone::roles::admin::password differs and will cause a flip-flopping\ - behaviour and authentication issues for the admin user.') - } - } else { - # Check the keystone::roles::admin class as well. 
- if defined('$::keystone::roles::admin::password') and $::keystone::roles::admin::password != undef { - $password_real = $::keystone::roles::admin::password - warning('Using deprecated keystone::roles::admin::password as admin password') - } else { - fail('keystone::bootstrap::password is undef, could not resolve a password') - } - } - } else { - $password_real = $password - } - if defined('$::keystone::endpoint::public_url') and $::keystone::endpoint::public_url != undef { - $public_url_real = $::keystone::endpoint::public_url - $using_deprecated_public_url = true - warning('Using deprecated keystone::endpoint::public_url, please update to using keystone::bootstrap') - } else { - $public_url_real = $public_url - $using_deprecated_public_url = false - } - if defined('$::keystone::endpoint::internal_url') and $::keystone::endpoint::internal_url != undef { - $internal_url_final = $::keystone::endpoint::internal_url - $using_deprecated_internal_url = true - warning('Using deprecated keystone::endpoint::internal_url, please update to using keystone::bootstrap') - } else { - $internal_url_final = $internal_url - $using_deprecated_internal_url = false - } - if defined('$::keystone::endpoint::admin_url') and $::keystone::endpoint::admin_url != undef { - $admin_url_real = $::keystone::endpoint::admin_url - warning('Using deprecated keystone::endpoint::admin_url, please update to using keystone::bootstrap') - } else { - $admin_url_real = $admin_url - } - if defined('$::keystone::endpoint::region') and $::keystone::endpoint::region != undef { - $region_real = $::keystone::endpoint::region - warning('Using deprecated keystone::endpoint::region, please update to using keystone::bootstrap') - } else { - $region_real = $region - } - if !$using_deprecated_internal_url and $internal_url == undef and $using_deprecated_public_url { - warning('Using deprecated keystone::endpoint::public_url for keystone::bootstrap::internal_url') - } - if defined('$::keystone::roles::admin::admin') 
and $::keystone::roles::admin::admin != undef { - $username_real = $::keystone::roles::admin::admin - if $username_real != $username and $username == 'admin' { - warning('Using keystone::roles::admin::admin as username, the keystone::bootstrap::username default is different\ - dont forget to set that later') - } - } else { - $username_real = $username - } - if defined('$::keystone::roles::admin::email') and $::keystone::roles::admin::email != undef { - $email_real = $::keystone::roles::admin::email - if $email_real != $email and $email == 'admin@localhost' { - warning('Using keystone::roles::admin::email as email, the keystone::bootstrap::email default is different\ - dont forget to set that later') - } - } else { - $email_real = $email - } - if defined('$::keystone::roles::admin::admin_roles') and $::keystone::roles::admin::admin_roles != undef { - $role_name_real = $::keystone::roles::admin::admin_roles - warning("Using keystone::roles::admin::admin_roles with value ${role_name_real} note that the\ - keystone::bootstrap when used will only set a single role, by default the 'admin' role.") - warning('Will use the first value in admin_roles for bootstrap and all (if multiple) for all other resources!') - if is_array($role_name_real) { - $bootstrap_role_name = $role_name_real[0] - } else { - $bootstrap_role_name = $role_name_real - } - } else { - $role_name_real = [$role_name] - $bootstrap_role_name = $role_name - } - if defined('$::keystone::roles::admin::admin_tenant') { - $admin_tenant = $::keystone::roles::admin::admin_tenant - if ($admin_tenant == undef or $admin_tenant == 'openstack') { - # Try to keep the backward compatible creation of the openstack project. - # We still create the 'admin' project with the bootstrap process below. - # This is a best effort, we still ignore the description and default domain. 
- ensure_resource('keystone_tenant', 'openstack', { - 'ensure' => 'present', - 'enabled' => true, - }) - ensure_resource('keystone_user_role', "${username_real}@openstack", { - 'ensure' => 'present', - 'roles' => $role_name_real, - }) - - # Use the default value so we create the "admin" project - $project_name_real = $project_name - } else { - warning('Using keystone::roles::admin::admin_tenant as project name for admin') - $project_name_real = $admin_tenant - } - } else { - $project_name_real = $project_name - } - if defined('$::keystone::roles::admin::service_tenant') and $::keystone::roles::admin::service_tenant != undef { - warning('Using keystone::roles::admin::service_tenant as service project name') - $service_project_name_real = $::keystone::roles::admin::service_tenant - } else { - $service_project_name_real = $service_project_name - } - # Compat code ends here. - - $internal_url_real = $internal_url_final ? { - undef => $public_url_real, - default => $internal_url_final + $internal_url_real = $internal_url ? { + undef => $public_url, + default => $internal_url } if defined('$::keystone::keystone_user') { 
@@ -216,15 +90,15 @@ class keystone::bootstrap ( exec { 'keystone bootstrap': command => 'keystone-manage bootstrap', environment => [ - "OS_BOOTSTRAP_USERNAME=${username_real}", - "OS_BOOTSTRAP_PASSWORD=${password_real}", - "OS_BOOTSTRAP_PROJECT_NAME=${project_name_real}", - "OS_BOOTSTRAP_ROLE_NAME=${bootstrap_role_name}", + "OS_BOOTSTRAP_USERNAME=${username}", + "OS_BOOTSTRAP_PASSWORD=${password}", + "OS_BOOTSTRAP_PROJECT_NAME=${project_name}", + "OS_BOOTSTRAP_ROLE_NAME=${role_name}", "OS_BOOTSTRAP_SERVICE_NAME=${service_name}", - "OS_BOOTSTRAP_ADMIN_URL=${admin_url_real}", - "OS_BOOTSTRAP_PUBLIC_URL=${public_url_real}", + "OS_BOOTSTRAP_ADMIN_URL=${admin_url}", + "OS_BOOTSTRAP_PUBLIC_URL=${public_url}", "OS_BOOTSTRAP_INTERNAL_URL=${internal_url_real}", - "OS_BOOTSTRAP_REGION_ID=${region_real}", + "OS_BOOTSTRAP_REGION_ID=${region}", ], user => $keystone_user, path => '/usr/bin', 
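Review bot: `"OS_BOOTSTRAP_PASSWORD=${password}"` interpolates the admin password as a plain string into the exec's `environment` attribute, so it is stored unredacted in the compiled catalog and in any cached copy of it. This hunk only renames the variable, so the exposure predates the commit, but `keystone::bootstrap::password` is now the sole source of the credential and the behaviour deserves a comment above the exec, e.g. `# NOTE: the password is embedded in the catalog as clear text; restrict access to catalog caches`. Accepting a `Sensitive` value instead would also need the `keystone_user` and `keystone::resource::authtoken` consumers (hunks at -238 and -289) to handle it, which cannot be confirmed from this diff. The exec's remaining attributes continue outside the hunk.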
@@ -238,40 +112,40 @@ class keystone::bootstrap ( # use the below resources to make sure the current resources are # correct so if some value was updated we set that. - ensure_resource('keystone_role', $role_name_real, { + ensure_resource('keystone_role', $role_name, { 'ensure' => 'present', }) - ensure_resource('keystone_user', $username_real, { + ensure_resource('keystone_user', $username, { 'ensure' => 'present', 'enabled' => true, - 'email' => $email_real, - 'password' => $password_real, + 'email' => $email, + 'password' => $password, }) - ensure_resource('keystone_tenant', $service_project_name_real, { + ensure_resource('keystone_tenant', $service_project_name, { 'ensure' => 'present', 'enabled' => true, }) - ensure_resource('keystone_tenant', $project_name_real, { + ensure_resource('keystone_tenant', $project_name, { 'ensure' => 'present', 'enabled' => true, }) - ensure_resource('keystone_user_role', "${username_real}@${project_name_real}", { + ensure_resource('keystone_user_role', "${username}@${project_name}", { 'ensure' => 'present', - 'roles' => $role_name_real, + 'roles' => $role_name, }) ensure_resource('keystone_service', "${service_name}::identity", { 'ensure' => 'present', }) - ensure_resource('keystone_endpoint', "${region_real}/${service_name}::identity", { + ensure_resource('keystone_endpoint', "${region}/${service_name}::identity", { 'ensure' => 'present', - 'public_url' => $public_url_real, - 'admin_url' => $admin_url_real, + 'public_url' => $public_url, + 'admin_url' => $admin_url, 'internal_url' => $internal_url_real, }) 
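Review bot: `'roles' => $role_name` on the `keystone_user_role` resource now passes a bare string, where the removed compat code fell back to `$role_name_real = [$role_name]` and so passed an array. If the `roles` property compares a string and a one-element array differently, the admin role assignment could be reported as changed on every run; the provider is not visible here, so this needs confirming. Writing `'roles' => [$role_name],` would keep the value the type received before this commit. The same rename reaches `ensure_resource('keystone_role', $role_name, …)`, where a single string title is fine.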
@@ -289,19 +163,19 @@ class keystone::bootstrap ( } if $interface == 'admin' { - $auth_url_real = $admin_url_real + $auth_url_real = $admin_url } elsif $interface == 'internal' { $auth_url_real = $internal_url_real } else { - $auth_url_real = $public_url_real + $auth_url_real = $public_url } keystone::resource::authtoken { 'keystone_puppet_config': - username => $username_real, - password => $password_real, + username => $username, + password => $password, auth_url => $auth_url_real, - project_name => $project_name_real, - region_name => $region_real, + project_name => $project_name, + region_name => $region, interface => $interface, } } diff --git a/manifests/endpoint.pp b/manifests/endpoint.pp deleted file mode 100644 index d5a2e1eb1..000000000 --- a/manifests/endpoint.pp +++ /dev/null 
@@ -1,74 +0,0 @@ -# == Class: keystone::endpoint -# -# DEPRECATED! -# -# Creates the auth endpoints for keystone -# -# === Parameters -# -# [*public_url*] -# (optional) Public url for keystone endpoint. -# Defaults to undef -# This url should *not* contain any version or trailing '/'. -# -# [*internal_url*] -# (optional) Internal url for keystone endpoint. -# Defaults to undef -# This url should *not* contain any version or trailing '/'. -# -# [*admin_url*] -# (optional) Admin url for keystone endpoint. -# Defaults to undef -# This url should *not* contain any version or trailing '/'. -# -# [*region*] -# (optional) Region for endpoint. -# Defaults to undef -# -# [*user_domain*] -# (Optional) Domain for $auth_name -# Defaults to undef (use the keystone server default domain) -# -# [*project_domain*] -# (Optional) Domain for $tenant (project) -# Defaults to undef (use the keystone server default domain) -# -# [*default_domain*] -# (Optional) Domain for $auth_name and $tenant (project) -# If keystone_user_domain is not specified, use $keystone_default_domain -# If keystone_project_domain is not specified, use $keystone_default_domain -# Defaults to undef -# -# [*version*] -# (optional) API version for endpoint. -# Defaults to undef. 
-# -# === Examples -# -# class { 'keystone::endpoint': -# public_url => 'https://154.10.10.23:5000', -# internal_url => 'https://11.0.1.7:5000', -# admin_url => 'https://10.0.1.7:5000', -# } -# -class keystone::endpoint ( - $public_url = undef, - $internal_url = undef, - $admin_url = undef, - $region = undef, - $user_domain = undef, - $project_domain = undef, - $default_domain = undef, - $version = undef, -) { - - warning('The keystone::endpoint class has been replaced with keystone::bootstrap class\ - will try to use the backward compatible approach') - - if !defined('$::keystone::roles::admin::admin_tenant') { - fail('You are using the backward compatible approach instead of keystone::bootstrap\ - you need to ensure that keystone::roles::admin is defined BEFORE keystone::endpoint in your manifest') - } - - include keystone::bootstrap -} diff --git a/manifests/init.pp b/manifests/init.pp index 37901dadd..27d7f9d59 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -456,23 +456,6 @@ # (Optional) The url to validate keystone against # Defaults to undef # -# [*admin_token*] -# Admin token that can be used to authenticate as a keystone -# admin. This is not the password for the admin user -# in the Keystone database. This is a token that bypasses authentication. -# Defaults to undef -# -# [*admin_password*] -# Keystone password for the admin user. This is not the admin_token. -# This is the password that the admin user signs into keystone with. -# Defaults to undef -# -# [*enable_bootstrap*] -# (Optional) Enable keystone bootstrapping. -# This option to true will automatically bootstrap the default domain -# user by running 'keystone-manage bootstrap'. -# Defaults to undef -# # [*database_min_pool_size*] # (Optional) Minimum number of SQL connections to keep open in a pool. # Defaults to: undef 
@@ -652,9 +635,6 @@ class keystone( $validate_insecure = undef, $validate_auth_url = undef, $validate_cacert = undef, - $admin_token = undef, - $admin_password = undef, - $enable_bootstrap = undef, $database_min_pool_size = undef, $cache_backend = undef, $cache_backend_argument = undef, @@ -775,11 +755,6 @@ class keystone( purge => $purge_config, } - # TODO(tobias-urdin): Remove this when admin_token is removed. - keystone_config { - 'DEFAULT/admin_token': ensure => 'absent', secret => true; - } - keystone_config { 'DEFAULT/member_role_id': value => $member_role_id; 'DEFAULT/member_role_name': value => $member_role_name; diff --git a/manifests/roles/admin.pp b/manifests/roles/admin.pp deleted file mode 100644 index 1a6cf87dd..000000000 --- a/manifests/roles/admin.pp +++ /dev/null 
@@ -1,102 +0,0 @@ -# == Class: keystone::roles::admin -# -# DEPRECATED! -# -# This class implements some reasonable admin defaults for keystone. -# -# It creates the following keystone objects: -# * service tenant (tenant used by all service users) -# * "admin" tenant (defaults to "openstack") -# * admin user (that defaults to the "admin" tenant) -# * admin role -# * adds admin role to admin user on the "admin" tenant -# -# === Parameters: -# -# [*password*] -# The admin password. Required. In a later release -# this will default to $keystone::admin_password. -# Defaults to undef -# -# [*email*] -# The email address for the admin. Optional. -# Defaults to undef -# -# [*admin_roles*] -# The list of the roles with admin privileges. Optional. -# Defaults to undef -# -# [*admin_tenant*] -# The name of the tenant to be used for admin privileges. Optional. -# Defaults to openstack. -# -# [*service_tenant*] -# The name of service keystone tenant. Optional. -# Defaults to undef -# -# [*admin*] -# Admin user. Optional. -# Defaults to undef -# -# [*admin_tenant_desc*] -# Optional. Description for admin tenant, -# Defaults to undef -# -# [*service_tenant_desc*] -# Optional. Description for admin tenant, -# Defaults to undef -# -# [*configure_user*] -# Optional. Should the admin user be created? -# Defaults to undef -# -# [*configure_user_role*] -# Optional. Should the admin role be configured for the admin user? -# Defaults to undef -# -# [*admin_user_domain*] -# Optional. Domain of the admin user -# Defaults to undef (undef will resolve to class keystone $default_domain) -# -# [*target_admin_domain*] -# Optional. Domain where the admin user will have the $admin_role -# Defaults to undef (undef will not associate the $admin_role to any -# domain, only project) -# -# [*admin_project_domain*] -# Optional. Domain of the admin tenant -# Defaults to undef (undef will resolve to class keystone $default_domain) -# -# [*service_project_domain*] -# Optional. 
Domain for $service_tenant -# Defaults to undef (undef will resolve to class keystone $default_domain) -# -# == Dependencies -# == Examples -# == Authors -# -# Dan Bode dan@puppetlabs.com -# -# == Copyright -# -# Copyright 2012 Puppetlabs Inc, unless otherwise noted. -# -class keystone::roles::admin( - $password = undef, - $email = undef, - $admin = undef, - $admin_tenant = 'openstack', - $admin_roles = undef, - $service_tenant = undef, - $admin_tenant_desc = undef, - $service_tenant_desc = undef, - $configure_user = undef, - $configure_user_role = undef, - $admin_user_domain = undef, - $admin_project_domain = undef, - $service_project_domain = undef, - $target_admin_domain = undef, -) { - - warning('The keystone::roles::admin class has been replaced with keystone::bootstrap class') -} diff --git a/releasenotes/notes/remove-deprecated-bootstrap-2b81ba7a7b0b4d5d.yaml b/releasenotes/notes/remove-deprecated-bootstrap-2b81ba7a7b0b4d5d.yaml new file mode 100644 index 000000000..b4ebbcdf2 --- /dev/null +++ b/releasenotes/notes/remove-deprecated-bootstrap-2b81ba7a7b0b4d5d.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + The classes keystone::endpoint and keystone::roles::admin is removed, use + the new keystone::bootstrap class directly. + - | + The password parameter in keystone::bootstrap is required and does not + default to undef. + - | + The deprecated parameters admin_token, admin_password and enable_bootstrap + in the keystone class is removed. diff --git a/spec/classes/keystone_federation_identity_provider_spec.rb b/spec/classes/keystone_federation_identity_provider_spec.rb index ba25485c9..5e9833ebb 100644 --- a/spec/classes/keystone_federation_identity_provider_spec.rb +++ b/spec/classes/keystone_federation_identity_provider_spec.rb @@ -4,7 +4,6 @@ describe 'keystone::federation::identity_provider' do let :pre_condition do "class { 'keystone': - admin_token => 'dummy', service_name => 'httpd', enable_ssl=> true }" end 
@@ -37,7 +36,6 @@ describe 'keystone::federation::identity_provider' do context 'keystone not running under apache' do let :pre_condition do "class { 'keystone': - admin_token => 'dummy', service_name => 'keystone', enable_ssl=> true }" end diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb index 10e767575..0e48e2d53 100644 --- a/spec/classes/keystone_federation_openidc_spec.rb +++ b/spec/classes/keystone_federation_openidc_spec.rb @@ -8,9 +8,7 @@ describe 'keystone::federation::openidc' do let(:pre_condition) do <<-EOS - class { 'keystone': - admin_token => 'service_token', - } + class { 'keystone': } include keystone::wsgi::apache EOS diff --git a/spec/classes/keystone_federation_spec.rb b/spec/classes/keystone_federation_spec.rb index ab4251086..0ab891adf 100644 --- a/spec/classes/keystone_federation_spec.rb +++ b/spec/classes/keystone_federation_spec.rb @@ -4,10 +4,7 @@ describe 'keystone::federation' do let(:pre_condition) do <<-EOS - class { 'keystone': - admin_token => 'service_token', - admin_password => 'special_password', - } + class { 'keystone': } EOS end diff --git a/spec/classes/keystone_wsgi_apache_spec.rb b/spec/classes/keystone_wsgi_apache_spec.rb index 6c30e3fe0..9515bf66d 100644 --- a/spec/classes/keystone_wsgi_apache_spec.rb +++ b/spec/classes/keystone_wsgi_apache_spec.rb @@ -4,7 +4,6 @@ describe 'keystone::wsgi::apache' do let :pre_condition do "class { 'keystone': - admin_token => 'dummy', service_name => 'httpd', enable_ssl => true, }" diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 1f1a2c0bd..e8ae4c00f 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -26,7 +26,6 @@ def setup_provider_tests def self.reset @public_endpoint = nil @tenant_hash = nil - @admin_token = nil @keystone_file = nil Puppet::Provider::Keystone.class_variable_set('@@default_domain_id', nil) @domain_hash = nil